
RayC.54986 (Customer) asked a question.
For a native device using the Resource Owner Password flow and hitting /token with grant_type=password, what should the application look for as a proof of authentication? For example, I want to implement the isLogin() method. If it returns false, I want to show the user the login screen. Should we store the access token and/or id token and check if one of the tokens is still not yet expired, and if so return true? And if both expire, call /token with grant_type=refresh_token to get new access & id tokens? However, the tokens are short lived. In the old days, I would set a cookie and then have isLogin() check on the cookie. Is there a better way in the Okta world to do this?

Hi Raymond- Looks like support has been able to answer this for you, see below. Let me know if you have further questions!
You are right with the approach. Your app could store the id_token/access token and refresh tokens. Your isLogin method could check the validity of the tokens and show the login screen if the tokens have expired. If you would like to refresh the tokens, you could make use of the refresh token to get a new id_token and access token.
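
One way to implement the isLogin() check described in the answer above, as an added example that is not part of the original thread and not Okta's own code. The names `TokenSession`, `refresh_call` and `RefreshRejected` and the 30-second skew margin are assumptions; the token response fields are the standard OAuth 2.0 ones, and `refresh_call` stands in for the app's POST to /token with grant_type=refresh_token.

```python
import time

SKEW_SECONDS = 30  # assumed margin: treat a token as expired slightly early


class RefreshRejected(Exception):
    """Raised by refresh_call when /token rejects the refresh token."""


class TokenSession:
    def __init__(self, refresh_call, clock=time.time):
        # refresh_call(refresh_token) -> parsed /token JSON (hypothetical hook
        # wrapping the grant_type=refresh_token request)
        self._refresh_call = refresh_call
        self._clock = clock
        self._tokens = None
        self._expires_at = 0.0

    def store(self, token_response):
        """Record a /token response; keep the old refresh token if none is returned."""
        previous = self._tokens.get("refresh_token") if self._tokens else None
        self._tokens = dict(token_response)
        self._tokens.setdefault("refresh_token", previous)
        self._expires_at = self._clock() + token_response["expires_in"]

    def logout(self):
        """Drop every token so a stale one is never reused."""
        self._tokens = None
        self._expires_at = 0.0

    def is_login(self):
        """True if the access token is still valid or could be refreshed."""
        if self._tokens is None:
            return False
        if self._clock() < self._expires_at - SKEW_SECONDS:
            return True
        refresh_token = self._tokens.get("refresh_token")
        if not refresh_token:
            self.logout()
            return False
        try:
            self.store(self._refresh_call(refresh_token))
        except RefreshRejected:
            # Expired or revoked refresh token: user must sign in again.
            self.logout()
            return False
        return True
```

The session here lives in memory only; a native app would persist the tokens in the platform's protected credential storage rather than in plain files or preferences.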